You’ve probably heard the modern adage that “it’s not a matter of if your organization will experience a data breach, but when.” Ill-intentioned hackers across the globe are looking for ways to get rich quick by defrauding organizations. And those organizations’ most valuable assets—people—frequently fall prey to such criminals. With cyber insurance, you’ll be better positioned to mitigate the impacts of a cybersecurity incident.
You may be thinking, “if a data breach is inevitable, what’s the point of attempting to be secure?” Or you may think this insurance isn’t relevant to your industry and the data you manage. But the truth is: cyber insurance coverage is relevant to most organizations and data types, and it makes a significant difference in the event of a cybersecurity incident.
Organizations should adopt a two-factor approach: securing your organization and mitigating extra risk through cyber insurance. You need to do both: plan for a breach and protect yourself. Having auto insurance doesn’t mean you drive recklessly.
Three Reasons You Need to be Secure
There are three reasons all businesses should care about and consider cyber insurance coverage:
1. Cybercriminals are after all types of data.
Cybercriminals find value in almost everything. A recent cyber claims study indicates the following data is at risk:
- Payment Card Industry (PCI) (14%)
- Protected Health Information (PHI) (15%)
- Critical files (15%)
- Personally Identifiable Information (PII) (26%)
- All others (30%)
As you can see, personal information like Social Security numbers, birthdates, bank account information, credit card information and addresses is highly sought after. Cybercriminals’ main goal is usually identity theft of individuals and businesses. However, nearly every day brings news of cyberattacks of all kinds, even aimless attacks like “Zoombombing.”
You may be surprised to learn the black-market value of various types of data. For example, a recent webinar we conducted discussed that identities could be worth $14 to $18 each. If your data includes dozens or hundreds of individuals’ personally identifiable information, that adds up and is incentive enough for a hacker. Other examples include:
- Skype accounts, valued at $12
- Verified PayPal accounts with balances, valued at $50 to $500
- Medical information, which is extremely valuable because it often remains consistent over time and can be used to submit fraudulent claims with insurance companies
2. Recovering from a cybercrime is expensive.
The cost of a cybersecurity incident could range from the low hundreds to millions of dollars, according to the cyber claims study. And, as our webinar points out, managing the impact of a cybercrime can get expensive in a hurry.
First, you’ll need incident response and forensic analysis to discover what data was lost. Then, you must handle any mandatory notifications and reports. Further, you’ll likely need to manage public relations and your reputation, and you may lose customers or have diminished customer acquisition rates. On top of that, expect costs associated with counsel and litigation.
For an idea of how this breaks out, the average breach cost was nearly $604,000 in 2018. This average consisted of expenses related to crisis services ($307,000), legal defense ($106,000) and legal settlements ($224,000). Crisis services include forensics, credit monitoring, notifications, legal guidance/breach coaches and other related expenses.
Calculate the potential cost of a breach to your company’s data using eRiskHub’s sample data breach calculator.
3. Nearly all industries are at risk for cybercrime.
When it comes to cybercrime, small and large businesses of all industries are at risk. Cybercriminals find just as much value in attacking small companies with thousands of dollars available as they do in penetrating large, million-dollar companies. In fact, according to the cyber claims study, 49% of the time, the primary targets are businesses with under $50 million in annual revenue. Companies with less than $2 billion in revenue accounted for 85% of the insurance claims.
This trend is partially due to the expected vulnerabilities of smaller companies. Hackers can assume that smaller companies have fewer protective measures in place, and they can make similar assumptions based on industry. For instance, hackers target industrial companies because they tend to invest less in their security while holding valuable intellectual property.
The National Cyber Security Alliance found that 1 in 5 small businesses fall victim to cybercrime, and 60% of those go out of business within six months (Victor O Schinnerer & Co).
The following industries reported the most incidents for insurance claim purposes:
- Professional services (20%)
- Healthcare (17%)
- Financial services (12%)
- All others (12%)
- Retail (10%)
- Education (7%)
- Nonprofit (6%)
- Technology (6%)
- Manufacturing (4%)
- Hospitality (3%)
- Public entities (3%)
As you can see, cybercrime has an impact on all industries and involves all data types, and it gets expensive quickly. That’s why cyber insurance needs to be part of your mitigation strategy.
With that understanding, what else should be part of your mitigation strategy? And what should you look for in your cyber insurance coverage?
Data Breach Mitigation Tools to Consider
Cybercriminals have stepped up their phishing, spoofing and social engineering game and made it more difficult to distinguish fraud from reality. They’re working hard to deceive others using nefarious business email addresses and ransomware. External threats attempt to penetrate your organization daily, and the criminals’ plan often involves compromising people and computer networks.
Some of the most common sources of cybersecurity incidents are hackers, malware, lost or stolen devices, mistakes made by staff, paper records and rogue employees. And humans tend to be the weakest links, unwittingly opening doors for cybercriminals. Even if you have well-executed plans for cybersecurity, there’s always a chance of an incident. As mentioned above, cybercrime insurance coverage is worth considering as part of mitigating and offsetting accepted risks and cybersecurity liability. But what other tools should you use to mitigate your cybersecurity risks?
Organizations of all sizes have considered the following tools in the past several years:
- Improved, secure hardware and software
- Network security vulnerability and penetration testing
- Pre-breach consultation
- Incident response plan assessments
- Cybersecurity awareness training for employees
- Cybercrime insurance coverage
Proactive cybersecurity assessments identify weaknesses and opportunities to strengthen your network. And formal incident response plans help companies to respond quickly and effectively—critical factors in the event of a breach or attack. However, you must spread cybersecurity awareness and train your staff to recognize suspicious activity to prevent the biggest vulnerability of all: human error.
Understanding Cyber Coverage Basics
Even if you have cyber insurance, you may not know what is and isn’t covered in your policy. For example, do you know if you have cyber liability business interruption and/or crisis management coverage? Many organizations only learn that their policies don’t match their needs when it’s already too late.
Here’s How to Make Sure You Get The Right Coverage For Your Business
This includes factors like the type of data you have and what value it holds, notification requirements you must comply with and specific risks others in your industry have reported. Revisit the list of common expenses associated with a cybersecurity incident. If you can foresee those costs, you can select cyber coverage to mitigate them.
What does cybersecurity insurance cover?
That will depend on your provider and your choices. There are many options:
- Network security liability covers your liability to a third party in such events as the transmission of viruses to their computer systems or your network’s participation in denial-of-service attacks.
- Data privacy liability covers your liability to a third party in the event of unauthorized disclosure of personally identifiable information or third-party confidential information. It also covers defense against regulatory actions.
- Extra expense coverage covers additional expenses incurred above and beyond normal operating expenses to respond to a personal data breach event. This is critical when an incident occurs, as your organization will likely incur additional investigative, legal and crisis management expenses.
- Cyber extortion/ransomware covers expenses related to responding to cyber extortion. These expenses are similar to those covered under extra expense coverage.
- Business interruption insurance covers loss of income as a result of a disaster such as a data breach. In a 2018 survey of cyber insurance market trends, businesses were most interested in purchasing cyber business interruption insurance. This is not surprising; business interruption can be the most devastating consequence of cybersecurity incidents, followed by reputational value. However, not all cyber insurance policies include business interruption insurance.
- Data asset protection covers expenses related to the replacement, restoration or rectification of corrupted or destroyed data.
Other cyber-specific coverages can include:
- Reputational harm
- Funds transfer/social engineering
- Cyber-related bodily injury and/or property damage
- Multimedia liability
- Errors and omissions
Closely Analyze the Coverage Providers Are Offering.
The cyber insurance industry is booming right now, but it isn’t standardized yet. Not all providers offer the same services or the same level of service, so you want to make sure you choose a provider that can meet all of your needs. If you work with a credible advisor, they can help you understand coverage limitations and other important factors for different providers.
Prepare for Underwriter Expectations.
Be sure to do your homework before you approach your preferred provider. Underwriters will do a “wellness check” of your organization. They’re interested in those elements you’ve likely already addressed in your cybersecurity planning:
- The type of data you have
- Your potential risk
- Your dedicated information security resources
- The policies and procedures you have in place
- Your employee education strategy
- Your incident response plan
- How you manage your vendors
You’ll also want to have discussions with your insurance contact regarding:
- Potential insurance premium reductions for having pre-breach consultations performed
- Listing your incident response provider as your preferred third party should an incident occur
- Listing your preferred attorney with specialized cyber law knowledge
Cyber Insurance Today
Today, the cyber insurance market is growing as more industries move toward purchasing coverage as part of risk mitigation. The 2018 survey found that news of cyber-related losses was the No. 1 driver of businesses purchasing cyber insurance. Other motivating factors include experiences of cyber-related losses and requirements by third parties, such as a customer. As more businesses purchase cyber insurance, the overall cost of coverage is going down and is now even more accessible to smaller businesses.
Your business produces and operates using data, so it’s imperative you keep that information secure. The goal of your organization should be to identify, implement and execute methods to protect that data. This should include both proactive and reactive strategies, as well as insurance to mitigate the inevitable.